08-01-2018 09:07 AM - edited 02-21-2020 08:02 AM
Hello,
I am perplexed by the way ASA OS releases codes are structured. We have purchased several Firepower 2110s which came pre-loaded with release code 9.8.3. I opened a TAC case to inquire about the recommended release code and the response I received was to upgrade to release code "9.4.4 Interim". See attached. It seems that the release codes are not in a sequential order(For example, Latest release 9.8.3 but the suggested releases are 9.8.2, 9.6.4, and 9.4.4). It seems that I will need to downgrade the code we have, which is 9.8.3 to release code 9.4.4. Cisco couldn't make this any more confusing!!!
Does anyone have any clarification as how to understand the ASA release codes?
Thanks in advance!
Best, ~zK
Solved! Go to Solution.
08-02-2018 02:56 PM - edited 08-02-2018 02:57 PM
I am uploading an attachment where you will see the full path to get to the section where you can download the ASA image for the FP2K.
Thanks for pointing out your query about the software you don't find. So the ASA5506-X will use the "asa982-38-lfbff-k8.SPA"
The rest of your devices (ASA5585 and ASA5525-X) will use the asa982-38-smp-k8.bin image (multicores).
You can have an explanation on their differences on the following post: https://community.cisco.com/t5/firewalls/cisco-asa-image-versions/td-p/2908797
08-02-2018 03:20 PM
No interim upgrades are required, you can go straight. Look at this document here: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/release/notes/asarn98.html#ID-2152-0000000a
Whenever you have questions on which middle versions you should go first, go to the release notes of the version you want to go to and then go to the 'upgrade path' section, it's useful :)
08-01-2018 10:11 AM
Hello Zekebashi,
If you go into cisco.com to download software for your platform, you will notice there are some Interim releases, mostly identified by a star. These are known to be the most stable releases for each version.
If you want a recommended software by Cisco, then you would like to choose an interim one, which you will find to be a long list of interim releases per version which contain bug fixes that address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available.
Let me know if you need additional information.
08-01-2018 10:26 AM
Thanks for the response. I get what you are saying but I am still not clear. The release version we have on the Firepower 2110/ASA is release 9.8.3 and the recommended Interim releases are:
- 9.8.2, which is a release lower than 9.8.3 and has a star next to it
- 9.6.4, which is a release lower than 9.8.3 and has a star next to it
- 9.4.4, which is a release lower than 9.8.3 and has a star next to it
So, which release version is the one that we need to upgrade to?
Why is the recommended release (Interim) code has a code number lower than the release code that we shipped by Cisco? Totally confusing!!
Best, ~zK
08-01-2018 10:49 AM
I see there is a misunderstanding with the information sent by your TAC engineer, as he only referred you to information concerned to ASA5500-X platforms, but for ASA running on a 2110 platform.
ASA on FPR2100 is compatible starting on 9.8.2 code. Your device will not necessarily come with an interim version, but you can upgrade it into anyone you choose.
As you will notice, every release can have its own interim versions, so it does not mean that you must downgrade to run a stable version. If Cisco has identified interim/stable versions within later releases, you can feel free to upgrade into one of them.
I recommend you to always check the release notes for the version you want to choose so you can learn what is resolved and what is still pending to be resolved in terms of bugs, or what new features does that release has.
08-01-2018 11:16 AM - edited 08-01-2018 01:56 PM
Thanks!
"As you will notice, every release can have its own interim versions". I am not clear on this. Refer to the attachment. What would the interim release be for 9.8.3? The available "Suggested Interim Releases" are: 9.8.2, 9.6.4, 9.4.4. Are you saying that if we decided to upgrade code 9.8.3, we could choose any one of these "Suggested Interim Releases" even though they vary in their code numbers, meaning one is 9.8.2, another is 9.6.4, and the last one is 9.4.4 and none of them has the subsequent code number to 9.8.3, which I think should either be 9.8.4 or 9.9.x!
We would like to standardize the ASA OSs on the following appliances:
- FP2110/ASA - Current release code 9.8.3
- 5585 - Current release code 9.2(4)18
- 5525 - Current release code 9.1(6)11
- 5506 - Current release code 9.8.3
What would be the recommended release code to upgrade to for all of these appliances?
Thanks..
08-01-2018 02:35 PM - edited 08-01-2018 02:36 PM
I am not sure why 9.8.3 has not an interim release; every release can have it, but it's not a most. Remember I mentioned that FPR2100 supports ASA code starting in 9.8.2 version, and the suggested interim releases you mention, applies to ASA5500-X.
I cannot recommend you a specific code to use, as you have to carefully choose depending on your environment, features, etc., for which I suggest you to take a look at the release notes of the version you choose to standardize across your devices.
After you look on them, you can confirm which release is equally supported for your devices, and you can look on this information at the Cisco ASA Compatibility matrix
What I found looking at the Interim releases for each platform, is that the common and suggested release across your platforms is 9.8.2 Interim release. (asa982-38-lfbff-k8.SPA and cisco-asa-fp2k.9.8.2.38.SPA - for FP2100) You may want to go to this one, but please take a look at the release notes below first.
ASA 9.8.2 Release notes:
08-02-2018 02:06 PM
Thanks again!
I tried to look under the 9.8.2 Interim file names for the file names you suggested but couldn't find them. The closest one was: asa982-38-smp-k8.bin. Where did you find the file?
Also, I found these two sources pretty useful: https://software.cisco.com/research/home?pid=283123066&sid=280775065&cr=
Thanks in advance. ~zK
08-02-2018 02:56 PM - edited 08-02-2018 02:57 PM
I am uploading an attachment where you will see the full path to get to the section where you can download the ASA image for the FP2K.
Thanks for pointing out your query about the software you don't find. So the ASA5506-X will use the "asa982-38-lfbff-k8.SPA"
The rest of your devices (ASA5585 and ASA5525-X) will use the asa982-38-smp-k8.bin image (multicores).
You can have an explanation on their differences on the following post: https://community.cisco.com/t5/firewalls/cisco-asa-image-versions/td-p/2908797
08-02-2018 03:07 PM
Great!
One final question, when upgrading the 9.2(4) code to 9.8.2, do we have to use the interim codes (9.4(x), and 9.6(x) first or can we upgrade it from code 9.2(4) directly to code 9.8.2?
Thanks, ~zK
08-02-2018 03:20 PM
No interim upgrades are required, you can go straight. Look at this document here: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/release/notes/asarn98.html#ID-2152-0000000a
Whenever you have questions on which middle versions you should go first, go to the release notes of the version you want to go to and then go to the 'upgrade path' section, it's useful :)
08-02-2018 03:50 PM
Super!
Thank you very much, Sergio! Much appreciated.
08-02-2018 05:11 PM
Most than welcome!!
04-15-2019 05:56 AM
Hello,
Was your upgrade from 9.2(4) to 9.8 successful? I am going 9.2(4) to latest 9.8(3)29, so have the same question as to if this is possible or I need to go to interim releases.
04-15-2019 08:26 AM
Hello,
I have performed the upgrade yet. I have confirmed with Cisco TAC that the upgrade from the 9.2.x to 9.8.x build doesn't require an interim upgrade.
My question to TAC:
Upgrading from the current release (9.2(4)18) directly to release 9.8.(3)21 is fine. It doesn't require to upgrade to an intermediate releases, is this correct?
TAC response: That is correct, is not required to install any intermediate image to get to the desired version 9.8.3.21.
Best, ~zK
04-15-2019 09:01 AM
Hello Julian, you should be safe to jump directly to 9.8(3)29 :)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide